The purpose of this "Procedures and Guidelines" is to support the MTSU Electronic Mail Acceptable Use Policy by establishing guidelines and minimum requirements governing the acceptable use of
University-provided electronic mail (e-mail) services. By establishing and maintaining
compliance with this policy, risks and costs can be mitigated while the valuable potential
of this communication tool is realized. The objectives of the MTSU Electronic Mail
Acceptable Use Policy are to assure that:

The use of University-provided e-mail services is related to, or for the benefit of,
Middle Tennessee State University and the State of Tennessee;

Users understand that e-mail messages and documents may be subject to the same laws,
regulations, policies, and other requirements as information communicated in other written forms and formats;

Disruptions to University activities from inappropriate use of University-provided
e-mail services are avoided; and

Users are provided guidelines describing their personal responsibilities regarding
confidentiality, privacy, and acceptable use of university- provided e-mail services as defined by this policy.

II. MTSU E-MAIL POLICY SCOPE

The MTSU Electronic Mail Acceptable Use Policyapplies to all University employees, students, retirees, and holders of specially-granted
accounts (hereinafter referred to as "users") whose access to or use of e-mail services
is funded by the University and the State of Tennessee or is available through equipment
owned or leased by the University.

The University provides e-mail resources to support its work of teaching, scholarly
research, and public service. The MTSU Electronic Mail Acceptable Use Policy sets
forth the University's policy with regard to use of, access to, and disclosure of
e-mail to assist in ensuring that the University's resources serve those purposes.

Access to MTSU e-mail accounts is a privilege granted by the University. It should
be subject to all of the same general protections afforded to traditional "paper"
mail or telephone conversations. When a user sends e-mail, the user account identification
is included in each mail message. The user is responsible for all e-mail originating
from the userís account.

All users must be aware that e-mail and messages sent through computer networks, including
the Internet, may not remain confidential while in transit or on the destination computer
system.

E-mail refers to the electronic transfer of information typically in the form of electronic
messages, memoranda, and attached documents from a sending party to one or more receiving
parties via an intermediate network or telecommunications system. Stated differently,
e-mail is a means of sending messages between computers using a computer network or
over a modem connected to a telephone line. E-mail services, as defined in this policy,
consist not only of the use of University-provided e-mail systems but also the acts
of sending and receiving e-mail across the Internet.

E-mail is an efficient and timely communication tool that can be used to accomplish
University functions and conduct University business. E-mail can help the University
improve the way it operates by providing a quick and cost-effective means to create,
transmit, and respond to messages and documents electronically. Well-designed and
properly managed e-mail systems expedite communication, reduce paperwork, and automate
routine office tasks thereby increasing productivity and reducing costs. Daily tasks
are accomplished more rapidly as individuals use e-mail services for sending and receiving
text as well as avoiding "telephone tag".

A number of characteristics distinguish e-mail from other means of communication,
such as paper records, telephones, and information stored on electronic media. Awareness
of these characteristics should guide individual and University use of e-mail services.

E-Mail Backups. E-mail systems and the systems involved in the transmission and storage of e-mail
messages are usually "backed up" by systems administration on a routine basis. This
process results in copying data, such as the content of an e-mail message, onto storage
media that may be retained for periods of time and in locations unknown to the sender
or recipient of a message. The frequency and retention of backup copies vary from
system to system and relevant disk to disk. While it may be difficult and time consuming,
it should be assumed that backup copies of e-mail messages may exist and can be retrieved,
even though the sender or recipient has discarded his/her copy of a message.

Passwording E-mail Accounts. While password protecting an individualís e-mail account may be considered beyond
usual measures taken to protect access to paper records and telephones, it does not
confer a special status on e-mail records with respect to applicability of laws, policies,
and practices. A password helps to prevent modification of e-mail documents by others.

Network and Systems Management. In the course of their work, system administrators or their designees may access
the network or e-mail system. Therefore, the content of e-mail messages may be seen
by these authorized individuals during the performance of their duties.

E-Mail Forgery. No system of communication is completely secure, including e-mail. Just as with
paper communications, an e-mail message can be forged, and it can be distributed beyond
the address list originally defined by its author.

Virus Threat. E-mail is the most frequently used method for transmitting computer viruses. Executable
files (e.g., *.exe, *.com) and documents containing viruses can be transmitted via
e-mail. These files and documents which may be attached to e-mail messages must always
be checked for viruses before they are accessed, executed, or distributed to other
users.

Legal Implications. E-mail and other electronic files may be accessed through public record requests
or through the discovery process in the event of litigation.

Using e-mail to interfere with the normal operation of university computing systems
and connected networks including, but not limited to, introducing viruses, sending
chain letters, or unfairly monopolizing resources that results in the exclusion of
others.

Using university e-mail for profit or commercial purposes, except for the use of authorized
sites.

Users of e-mail should adhere to the follow practices:

Conclude each e-mail message with a signature file and contact information.

Determine if replies are appropriate for all or only a portion of the recipients
when responding to e-mail sent to multiple recipients.

Include the original message when replying only if necessary.

Verify the status of the e-mail being sent to prevent duplicate e-mail transmissions.

Keep distribution lists clean and updated.

Use clear, meaningful subject headers.

Use good judgment when sending potentially sensitive material to multiple recipients.

Do not open email attachments unless you trust the source.

Send attachments only when the message cannot be included as plain text.

E-mail that is created in the normal course of University activity and retained as
evidence of official policies, actions, decisions, or transactions are public records.
These records are subject to records management requirements under T.C.A. 10-7-301
through 10-7-308, and the rules of the Public Records Commission. A public record is defined as follows:

"Public record(s)" or "state record(s)" means all documents, papers, letters, maps,
books, photographs, microfilms, electronic data processing files and output, films, sound recordings or other material, regardless
of physical form or characteristics made or received pursuant to law or ordinance or in connection with the transaction of
official business by any governmental agency. (TCA 10-7-301, Paragraph 6)

Records transmitted using e-mail need to be identified, managed, protected, and retained
as long as they are needed to meet historical, administrative, fiscal, or legal requirements
of the University in keeping with its mission. Records needed to support University,
College and Departmental functions must be retained, managed, and accessible in record-keeping
or filing systems in accordance with established records disposition authorizations
approved by the Public Records Commission.

Middle Tennessee State University, in accordance with this statute, is required to
designate records officers who are responsible for coordinating records management
programs for the various Executive, Administrative, and Academic divisions of the
University. (TCA 10-7-304)

Retention and disposition of public records is determined per statute by the Public
Records Commission based on an analysis conducted by a qualified Records Analyst to
determine the administrative, fiscal, legal and historical value of the record.

Electronic records are generally defined as records stored in a form that only a computer
can process. In accordance with established statutes, electronic records are to be
managed and maintained in accordance with their administrative, fiscal, legal and
historical values. In addition, these records are to be made available for public
inspection upon request unless designated confidential by statute.

Communications of University personnel that are sent by electronic mail may constitute
"correspondence" and, therefore, may be considered public records subject to public
inspection under Tennessee's Public Records Act.

The individual to whom the message is addressed becomes the legal "custodian" once
the message is received and is the person responsible for ensuring compliance with
the Public Records Act. Although the University periodically backs up information
residing on system hard drives, this is not done for archival purposes to meet the
requirements of the Public Records Act, but as a safety measure in case of system
failure or unlawful tampering ("hacking"). The system administrator is not the legal
custodian of messages which may be included in such back up files.

E-Mail messages generally fall into two categories.

First, some e-mail is of limited or transitory value. For example, a message seeking
dates for a proposed meeting has little or no value after the meeting date has been
set. Retention of such messages in the computer system serves no purpose and takes
up space. Such messages may be deleted as soon as they no longer serve an administrative
purpose.

Second, e-mail is sometimes used to transmit records having lasting value. For example,
e-mail about interpretations of University policies or regulations may be the only
record of that subject matter. Such records should not be maintained in e-mail format,
but should be transferred to another medium and appropriately filed, thus permitting
e-mail records to be purged at regular intervals.

While the methods for reviewing, storing or deleting e-mail vary, compliance with
the retention requirements of the Public Records Act may be accomplished by doing
one of the following:

Print the e-mail and store the hard copy in the relevant subject matter file as would
be done with any other hard-copy communication. Printing the e-mail permits maintenance
of all the information on a particular subject matter in one central location, enhancing
its historical and archival value.

Electronically store the e-mail in a file, a disk, or a server, so that it may be
maintained and stored according to its content definition under the division's records
retention policy.

Middle Tennessee State University has the responsibility to ensure that state-provided
e-mail services are used for internal and external communications which serve legitimate
educational functions and purposes consistent with the University's Mission. The University
is responsible for the e-mail activities of its users and must familiarize each user
with what is considered appropriate use of state-provided e-mail services. Managerial
authority over e-mail services must be defined, and user training programs provided
which address e-mail usage and policies. The University Information Technology Division (ITD) hosts several of these programs each semester.

A University "Use Agreement" for e-mail services which stipulates compliance to the
MTSU Electronic Mail Acceptable Use Policy must be agreed to by each user if they are to retain or be provided e-mail services.
Any significant problems encountered in using e-mail communications should be brought
to the attention of the the University Information Technology Division (ITD) Help Desk or call 898-5345.

The MTSU Electronic Mail Acceptable Use Policy is intended to be illustrative of the range of acceptable and unacceptable uses of
the University's e-mail facilities and is not necessarily exhaustive. Questions about
specific uses related to security or privacy issues not enumerated in this policy
statement should be directed to the University Information Technology Division. Reports of specific unacceptable uses should be directed to abuse@mtsu.edu. Other questions about appropriate use should be directed to the userís supervisor,
department chair or dean.

Users should be aware of potential e-mail security problems before transmitting private
or confidential messages. E-mail is not private communication. All information transmitted
via the University's Internet/e-mail system is the property of the State and is subject
to review at any time. E-mail correspondence may best be regarded as a postcard rather
than as a sealed letter. Disclosure may occur intentionally or inadvertently when
an unauthorized user gains access to electronic messages. Likewise, disclosure may
also occur when e-mail messages are forwarded to unauthorized users, directed to the
wrong recipient, or printed in a common area where others can read them.

Users must be aware of the classification of any information contained in data files
or correspondence which they are transporting using e-mail communications and to not
exchange information in un-encrypted form which is confidential. Under no circumstances
should data ever be transported, which if intercepted, would place the University
in violation of any law.

The content of anything exchanged (sent or received) via e-mail communications (regardless
of its state of encryption) must be appropriate and consistent with University and
State policy, subject to the same restrictions as any other correspondence.

All University users, including those employed by the University, who are granted
access to e-mail services need to use that access in a way which is consistent with
their job function even when the access is off-hours.

E-mail communications, if allowed to accumulate on a server, can quickly consume the
server's disk space and may cause system problems. Although deletion of unnecessary
e-mail is encouraged, users should consult the University's record retention guidelines
for proper instruction regarding disposal or archival of e-mail correspondence.

As with any state-provided resource, the use of e-mail services should be dedicated
to legitimate University activities and is governed by rules of conduct similar to
those applicable to the use of other information technology resources. The use of
e-mail services is a privilege which imposes certain responsibilities and obligations
on State users and is subject to State policies and local, State, and Federal laws.
Acceptable use must be legal, ethical, reflect honesty, and show restraint in the
consumption of shared resources. It demonstrates respect for intellectual property,
ownership of information, system security mechanisms, and the individual's rights
to privacy and freedom from intimidation, harassment, and unwarranted annoyance. All e-mail users should:

Acceptable e-mail activities are those that conform to the purpose, goals, and mission
of the university and to each userís job duties and/or responsibilities. The following
list, although not inclusive, provides some examples of acceptable uses:

Communications, including information exchange, for professional development or to
maintain job knowledge or skills;

Use in applying for or administering grants or contracts for University research programs
or work-related applications;

Communications with other University agencies and research partners of university
agencies providing document delivery or transferring working documents/drafts for
comment;

Announcements of University regulations, procedures, policies, services, or activities;

Use involving research and information gathering in support of advisory, standards,
analysis, and professional development activities related to the user's University
duties; and

Communication and information exchange relating directly to the mission, charter,
and work tasks of the University including e-mail in direct support of work-related
functions or collaborative projects.

NOTE: Users may be subject to limitations on their use of e-mail as determined by
the appropriate supervising authority. Users are advised to remove themselves from
e-mail lists not dealing with work-related topics.

The use of any University resources for e-mail must be related to University business,
including academic pursuits. Incidental and occasional personal use of e-mail may
occur when such use does not generate costs to the University. Any such incidental
and occasional use of University e-mail resources for personal purposes is subject
to the provisions of this policy.

Unacceptable use can be defined generally as activities that do not conform to the
purpose, goals, and mission of the University and to each userís job duties and responsibilities.
Any e-mail usage in which acceptable use is questionable should be avoided. In other
words, when in doubt seek policy clarification prior to pursuing the activity. The
following list, although not all-inclusive, provides some examples of unacceptable
uses:

Private or personal for-profit activities. This includes use of e-mail services for
private purposes such as marketing or business transactions, private advertising of
products or services, and any activity meant to foster personal gain;

Personal use that creates a direct cost to the University;

Unauthorized not-for-profit business activities. This includes the conducting of any
non-University-related fund raising or public relations activities such as solicitation
for religious and political causes;

Transmission of incendiary statements which might incite violence or describe or promote
the use of weapons or devices associated with terrorist activities;

Use for, or in support of, unlawful/prohibited activities as defined by federal, state,
and local laws or regulations. Illegal activities relating to e-mail and network access
include, but are not limited to:

Violating the privacy of individual users by reading their e-mail communications unless
specifically authorized to do so;

Attempts to subvert network security, to impair functionality of the network, or to
bypass restrictions set by the network administrators. Assisting others in violating
these rules by sharing information or passwords is also unacceptable behavior;

Attempts at forgery of e-mail messages is prohibited as is the construction of e-mail
communication so that it appears to be from someone else, also known as "spoofing,";

Deliberate interference or disruption of another userís work or system. The user
must avoid any actions that cause interference to the network or cause interference
with the work of others on the network by "flooding" via the use of various automated
e-mail generation systems;

Users are prohibited from performing any activity that will cause the loss or corruption
of data, the abnormal use of computing resources (degradation of system/network performance),
or the introduction of computer worms or viruses by any means (use of programs with
the potential of damaging or destroying programs and data);

Distribution of "junk" mail, such as chain letters, advertisements, or unauthorized
solicitations; and unauthorized distribution of University data and information.

In an operational sense, files in users accounts and data on the network are regarded
as personal: that is, employees of the University do not routinely monitor this information.
However, the University reserves the right to view or scan any file or software stored
on University systems or transmitted over University networks, and may do so periodically
to verify that software and hardware are working correctly, to look for particular
kinds of data or software (such as computer viruses), or to audit the use of University
resources. Violations of policy that come to the Universityís attention during these
and other activities will be acted upon.

The University will make reasonable efforts to maintain the integrity and effective
operation of its e-mail systems, but users are advised that those systems should in
no way be regarded as a secure medium for the communication of sensitive or confidential
information. Because of the nature and technology of electronic communication, the
University can assure neither the privacy of an individual user's use of the University's
e-mail resources nor the confidentiality of particular messages that may be created,
transmitted, received, or stored thereby.

Data on University computing systems may be copied to backup drives or tapes periodically.
The University makes reasonable efforts to maintain confidentiality, but if users
wish to ensure confidentiality, they are advised to encrypt their data. Although users
may use encryption software, they are responsible for remembering their encryption
keys; once data is encrypted, the University will be unable to help to recover it
should the key used to encrypt the data be forgotten or lost . Additionally, any
user of the University's e-mail resources who makes use of an encryption device to
restrict or inhibit access to his or her e-mail must provide access to such encrypted
communications when requested to do so under appropriate University authority.

When sources outside the University request an inspection and/or examination of any
University owned or operated communications system, computing resource, and/or files
or information contained therein, the University will treat information as confidential
unless any one or more of the following conditions exist:

When approved by the appropriate University official(s) or the head of the Department
to which the request is directed

When authorized by the owner(s) of the information

When required by Federal, State, or local law

When required by a valid subpoena or court order

Note: When notice is required by law, court order, or subpoena, computer users will
receive notice of such disclosures (viewing information in the course of normal system
maintenance does not constitute disclosure).

The Family Educational Rights and Privacy Act, or FERPA, requires the University to
protect the confidentiality of student educational records. These include academic
records, financial records, disciplinary records, medical records and placement office
records. To be in compliance with FERPA, the University must receive the written
consent of a student or a court order before disclosing information. The rights of
a student user to see his or her records does not extend to parents or guardians.

Additionally, the University may not release directories, rosters, lists or address
labels of students to parties not affiliated with the University when a student has
requested that this information be withheld. And, the University may not post grades
and test scores publicly using any personally identifiable information, without the
written consent of the students involved.

Users can expect that e-mail messages exchanged within the University and on the network
are only somewhat confidential because the University itself does not monitor student's
or employee's use of e-mail. All users should be aware, however, that e-mail messages
are written records that could be subject to review with just cause and may be subject
to Freedom of Information Act requests.

Violations of the MTSU Electronic Mail Acceptable Use Policy may subject users to the regular disciplinary processes and procedures of the University
for students, staff, administrators, and faculty and may result in loss of their computing
privileges.

Illegal acts involving University computing resources may also subject violators to
prosecution by local, state, and/or federal authorities. Suspected law violations
may be referred to police agencies.

If a user is found to have violated the MTSU Electronic Mail Acceptable Use Policy, the user's computing privileges at MTSU may be permanently and totally removed.
There will be no refund of any technology access fees.

Student users in violation of the MTSU Electronic Mail Acceptable Use Policy may be recommended for suspension or dismissal from MTSU. Employees in violation
of the Policy may be recommended for termination from MTSU employment.

Disclaimer: As part of the services available through the Universityís campus network,
access is provided to a large number of conferences, lists, bulletin boards, and Internet
information sources. These materials are not affiliated with, endorsed by, edited
by, or reviewed by the University, and the University takes no responsibility for
the truth or accuracy of the content found within these information sources. Moreover,
some of these sources may contain material that is offensive or objectionable to some
users.

Monitoring and Enforcement:

In general, the following procedures should be used in monitoring and enforcing e-mail
etiquette and policy:

Responsibility: All University community users are responsible for monitoring e-mail to ensure that
etiquette is observed and that e-mail use is in accord with University, State, and
Federal policy, law, and regulation.

Issues of Etiquette: Concerns over issues of e-mail etiquette by faculty, staff, and administration should
first be discussed with the offender. If the etiquette issue continues, the offended
user should alert their supervisor who may discuss it with the offender's supervisor.
Violations of etiquette by students should be discussed with the offender.

Violations of Policy: Violations of the Middle Tennessee State University Electronic Mail Acceptable Use
Policy should be discussed with the offender. If such behavior continues, the offended
user should alert their supervisor to discuss the violation with the offender's supervisor.
Complaints involving policy violations by students should be discussed with the Assistant
Dean in the Office of Judicial Affairs and Mediation Services, Division of Student
Affairs. If the policy violation persists, the e-mail account may be restricted or
removed. Complaints and offending e-mail may also be forwarded to abuse@mtsu.edu.

Violations of Law: When violations of law are alleged, the offended user should inform their supervisor,
the alleged offender's supervisor, the Director of the Information Technology Division,
and the appropriate Vice President. Together, these parties will decide whether the
alleged offender should be disciplined within University guidelines for similar offenses
and/or turned over to University attorneys for legal action. Complaints involving
violations of law by students should be discussed with the Assistant Dean in the Office
of Judicial Affairs and Mediation Services, Division of Student Affairs. Complaints
and offending e-mail may also be forwarded to abuse@mtsu.edu.

Computer viruses infect computer systems by physical contact. Computer viruses are
really segments of program code that interfere with the smooth running of the programs
and data on a personal computer. The virus code resides on a portable media or on
another computer system on a network. When the virus code is copied from that media
or from another computer system over the network, it infects the system it is copied
onto.

Viruses are designed and may be propagated by malicious users. Virus code may be
surreptitiously inserted into files with the intent of damaging other users computer
systems. Quite often viruses are made available under false pretenses. Eventually,
someone uses the infected file. The physical contact is made, and the virus starts
to spread.

Many other viruses, however, destroy data and render computer systems inoperable.
The Michelangelo virus overwrites the hard disk. The Jerusalem virus deletes executable
files. Some viruses -- called "rabbits" -- just reproduce, eventually taking up all
processor capacity, memory and disk, denying the user access to system resources.

Be suspicious of freeware and shareware.

Be wary of downloading files from electronic bulletin boards or news groups.

Make, store and routinely check backup copies of all files and programs. Keep the
backups for as long as six months to a year.

Unfortunately computer abuse, harassment, malicious behavior, and unauthorized account
access do happen. Should any of these things happen to a University user, it should
be reported to the user's immediate supervisor, the Information Technology Division
system administrator, or other appropriate University authorities. Computing resource
abuse should be reported to the e-mail address abuse@mtsu.edu. This will alert University staff to the situation. Users should be aware that investigating
authorities will want the offended user to retain harassing e-mail messages, dates
and times of unauthorized access, etc., for investigative purposes. Cases are handled
individually and confidentiality.

Threatening e-mail must be viewed as anti-social behavior and is a violation of University
policy, State and Federal law. Respectful users of the Internet abide by the same
principles of fairness, decency and respect used everywhere else. If a University
user receives threatening e-mail, contact abuse@mtsu.edu.

The State of Tennessee and the University owns the central computers, computer labs,
the microcomputing sites, the computers it places on its employees' desks and all
the software it has installed on them. The University determines who may use these
resources and how they may use them.

The State of Tennessee and the University owns the University network - all the wires,
cables and routers that connect the central computers, computer labs, microcomputer
sites and the campus connections that allow the networkability of personal computers
to each other and to the Internet. The University determines who is authorized to
use its network.

The University will determine basic user disk space allocations and will alert users
when this maximum allotment has been reached. Users must expediently remove or transfer
files from their allocated disk area when prompted to do so by University computer
system administrators.

University policy on e-mail establishes that the messages users receive and transmit
may not remain private due to the open structure of network transmissions [1], [2], [3]. However, users can expect that their accounts will not be monitored by the University
or the State on a regular basis. Additionally, users must be aware that in case of
system problems, through hardware or software failure or through attacks by malicious
users, the staff who maintain the central computers and disk stores are authorized
to look at any information or any files necessary to correct network system problems
and to protect the various computing systems and the information they contain. Such
situations are rare.

The University respects user's privacy to all reasonable limits. However, it can
not be assumed that messages and files remain private in all cases. In addition to
the authorized actions of system administrators working on problems, user's e-mail
could end up in the hands of computing staff if it was so badly misaddressed that
it can't be delivered, and it is possible to make mistakes in addressing e-mail that
places private messages in the mailbox of someone other than the intended recipient.
Courts have also ruled that e-mail records and information in electronic form on central
computers can be subpoenaed in some cases. Under present circumstances, the privacy
of user's e-mail can't be guaranteed.

Above all else, users must not permit anyone else to use their MTSU computing ID and
password to gain access to their files.

The University respects and encourages the dissemination of ideas and communication
regarding specific academic disciplines. Faculty users may wish to initiate and moderate
Listservs which allow the rapid electronic communication of many list members on topics
related to the creation of the list. These Listservs may grow in popularity and stature
based upon the worldwide number of those who subscribe to the list and whose interests
are similar.

Listserv management may support the ability of new or old subscribers to sort through
previous postings to the Listserv. The University ITD has established the position
of Listserv Administrator to aid those on campus with the creation of Listserv Archives.
However, as noted in Section XIV, the State of Tennessee and the University own all disk space in University computing
systems. Provisions will be made for Listserv archive space provided that maintenance
of the Listserv is in keeping with the mission of the University. In most cases,
the archive of postings to a Listserv will extend to one year's time. It will be
the responsibility of the Listserv moderator to store postings more than one year
old. If a Listserv moderator would like to make postings more than a year old available
on-line, it will be necessary for the moderator to petition the appropriate supervisory
Vice President for funds for additional disk space.

Owners of standing e-mail lists and identified moderators of Listservs, whether involuntary
or voluntary, are expected to develop and monitor compliance with written operating
procedures for the use of their lists. All list owners are encouraged to consider the benefits of moderating or otherwise controlling
access to large lists. This applies whether a list has been created for one-time use
or is maintained as a standing list, whether compiled manually or from the central
database, and whether involuntary or by subscription.

All electronic communications are expected to comply with relevant federal and state
laws, as well as University regulations and policies, including those governing public
computing resources, security considerations, and ethics in computing. The texts
of these policies and handbooks outlining responsible computer usage at the University
are available on-line at http://www.mtsu.edu/itd/policies_home_itd.php Revocation of one's network access is among the possible sanctions for violating
the terms of these policies.